Securing the world for lost, bio-diesel car drivers

And did we mention The Ashes?

Letters

A varied haul this week, that's for sure. We've got thoughts on security, women and Microsoft certification, technology and education, and of course, the question of whether or not cats should be used to make fuel. It seems this last one is a real opinion divider.

Still, before we descend into the dungeons of daftness, let's kick off with some reactions to Gartner's call for security to be rebranded as "risk management" and handed over to business managers to run. No prizes for guessing what the balance of opinion was on this one:

I think this is absolute nonsense. Business people cannot replace or do the job that trained information system security professionals can do. There will always be a need to bridge the gap between business and IT, especially where security is concerned, but to suggest that that gap can be replaced by a person who has primarily business training is ludicrous and dangerous to a company. How will this person deal with a virus, a hack incident or a denial of service attempt? There aren't currently any business programs that teach information security anyway.

AM


As a technical and security specialist (with an MBA) I have to disagree with some elements of this article.

I am currently working on contract as an IT Security Consultant at a large insurance company which shall remain nameless.

They have, like Barclays, ABN Amro and many other financial institutions, followed Gartner's recommendations and re-branded their IT Security department as "risk management". Ours is called "Group IT Risk", Barclays' is called "Information Risk Management" (IRM).

We now spend all our time doing "risk assessments" for projects, estimating probability and impact, and producing excellent reports for project managers to add to their project risk registers. Risk, Risk, Risk!

But we are still running Win2K SP2 not SP4, we still got infected by Zotob, we have RealSecure Personal Firewall on our 3000 legacy NT desktops but we don't have anyone to watch the SiteProtector console, our CSIRT incident management process still looks like chickens running around with their heads cut off, it still took 48 hours for our outsourced networking partner to realise that what was thought to be a DoS attack on a core internet router was in fact due to mis-configuration of one part of a VRRP router config that had never been tested properly, etc etc etc.

The baseline security of the organisation is extremely poor, and this is not (and will not be) improved by focussing on trendy risk management processes.

What it will be improved by is old-fashioned A/V updates, patch management, configuration management, strict change management with oversight by IT Security, rigorous scanning of the network for new (and rogue) devices, hardened servers, IDS/IPS systems with a well-trained SOC to watch the consoles, good communication plans and awareness schemes, hard disk encryption, BIOS passwords, spam content filters, internet content filters etc etc.

All the bog standard stuff that is on the top ten security controls list and has been for the past 5-10 years!

It's also the same stuff that is deemed "boring" by our Risk and Gartner Best Practice obsessed, Ernst and Young benchmarked, new-wave Information Risk Management.

It's also the same stuff that the Business screams for once a nice juicy worm takes out a thousand desktops - conveniently ignoring the fact that they weren't prepared to sign-off the business case to implement it pro-actively because the cost/benefit case was hard to quantify.

The Business will also conveniently ignore that they DID sign-off on a "risk assessment" that said staying on SP2 probably was a really bad idea, the same way they will sign-off on building the DR data centre in the tower next door rather than 10mi away because it saves a few mill. Hey, both Towers are never going to fall down at once, are they?

And that is at the heart of the problem - humans are very, very bad at estimating risk. You are hundreds of times more likely to drown at the beach than get eaten by a shark... but which do people worry about more? In the US many parents probably wouldn't let their children go and play at the neighbours' if there were unsecured guns in the house, but would happily let them go and play in the neighbours' pool on a hot day... but the statistics show that your child is 200x more likely to drown in the pool than get shot with the neighbours' gun. (See "Freakonomics" for more details).

Risk Management as a tool of project governance to get IT projects to examine the risks, implement mitigating controls and prepare contingency plans in case the worst happens is excellent discipline.

It's just not a replacement for IT Security.

cheers,

Steve


I believe that companies which attempt to have non-techies handling their security risk management, will end up in trouble.

Consider the recent hurricane. While the professional politicians and news analysts are playing the blame game, one major factor in the damage was the failure of the levee system....

The levee system was supposed to be able to withstand only a category 3 hurricane. (If even that, due to lack of maintenance.)

One could argue that it was risk management at work. The odds of a cat 5 hitting New Orleans are so small, why not take that risk? (The downside is that one did hit and the total damage in insured property greatly outweighs the cost of building the levee system to take a cat 5 hurricane.)

I agree that you can't call wolf at every perceived risk. But how can a "business type" manage these risks if they really don't understand the potential damage that can occur?

Ian

There might be a few dissenters over the risk of a cat5 storm hitting the gulf coast... If we remember correctly, it was flagged as one of three serious threats to the US at the start of Dubya's terms in office. The other two, you ask? Oh, a terror attack in New York and a big quake in California. Two outta three, and still time to go...


The government is spending millions on it, but is it doing any good? Teachers aren't sure and by the sounds of things, you lot are not big fans of technology in the classroom, at least, not just for technology's sake:

Teachers think computers interfere with genuine learning? That's because THEY DO. And they top slice the money from the education budget so there's less to spend on real education.

I spent a happy (not) weekend trying to sort out an interactive whiteboard in my wife's primary classroom - she was worrying at night because an inspector would be coming and she wasn't using it effectively. We had to:

a) position a free standing whiteboard screen on castors - because the education department found by saving on wall mounted boards they could put more into schools

b) position a projector on a projector table - because they could put more in by saving on ceiling mounted projectors

c) position the board where it could be seen by all the pupils in a classroom designed for 25 students, currently running with a class of 33, being sure none of the pupils were sitting under the bit of roof that leaked

d) run extension cables to the (top of the range) laptop and projector, because by saving on electrician fees they could put more into schools

e) put rubber trip strips over the cables, because children have to be able to get around the classroom

f) rearrange it all, because the children kept knocking the projector table when going to get paper and scissors from the resources drawers

etc., etc.

This is money which has been topsliced from the education budgets - i.e. by doing this they have less for teachers, classroom assistants, wholesome school meals, fixing roof leaks etc., and it is totally galling. While the commercial sector now sees provisions (hardware and software) as almost always being a small item against deployment, implementation support, installation etc., education departments still work on the basis that most of their procurement budget should go on kit and licences. The learning objectives are driven by the kit, not the procurement by the desired outcome. It pisses me off when the government boasts about how much they're spending on IT in schools when said IT is so profoundly damaging to education.

Dunstan


Sadly the findings of the report are not surprising. As a school governor I have found that although the Government made a big thing about giving every teacher a laptop they didn't bother with any training. So most teachers have a state of the art laptop but no real idea how to use it effectively. One told me "the kids learn/know more about it than us". This is another example of joined up thinking - not!

Btw the spec of the computer is rigidly defined and only available from certain suppliers so not surprisingly the price is not what you might call competitive but that's another issue...

Rob


My wife's a teacher and I have long berated her for her timidity in using IT in the classroom. But she counters with the strong point that the stuff they are given is just not reliable. She's now in a brand new, wonderfully equipped primary school with whiteboards in every room, a wireless network everywhere and a commitment by management to run the school electronically. But nothing works. The hired geeks have reconfigured the network several times but it doesn't stay up long enough for them to demonstrate that, clearly, it's all the teachers' fault. The benefits that an electronic whiteboard brings over its analogue equivalent are real but finite, and they completely evaporate when the thing malfunctions and the lesson has to be abandoned.

It's not that they've bought the cheapest possible kit -- it appears to be reasonable quality. They've even paid for training (though I'm uncertain that it's very high quality). The real problem is that there's nothing in the budget for in-house geeks to be hovering round fixing the problems as they occur. Those of us who've lived with Windows in business know that these people are absolutely necessary because the technology is simply not robust, and isn't designed to be fixed by ordinary people when it fails. Of course, the answer for a school is to use a different operating system -- Mac OS X springs to mind -- but that is never even contemplated...

Name withheld


Seeing the enormous increase in wasted meeting time that electronic whiteboards and laptops have brought to corporate meetings, I have to applaud the teachers for resisting them. Education is a tough enough business without having to drag tech bloat into the fray.

Mike


Dr. Debbie Ellen, the boffin behind the study into how many women engineers Microsoft certifies, would like to take this opportunity to clarify her research. The response to the original article was, in some cases, extremely hostile. She thinks some of the writers may have missed the point:

As one of the authors of the report that was the subject of Mark Ballard's article Microsoft trying to track down Engineers (9th August 2005), I feel I should respond to the letters published on 12th August.

Firstly, the database referred to by the reader that asserts: "the MCSE data is most definitely "owned" by Microsoft, and gender is a cross referenceable field associated with the account of the MSCE qualified engineer" is not publicly available and requests to Microsoft to use the data held there have been rejected. My understanding of the system is that people with certification can use the system - but it is not obligatory - so data held within the system will not give a comprehensive picture anyway.

This issue is part of a much wider problem with vendor specific certifications which are offered by private companies, who are not currently required to collect diversity data. Our report called for government action to address this issue.

With regard to the other letters published I feel that some readers have taken the wrong impression from the article. Our report is available for download at: http://www.jivepartners.org.uk/activities/publications.htm. By reading the report I hope that people see that we were not stating that women needed to work in a women only environment. Indeed many of our respondents were already working in predominantly male teams across a range of sectors. We were also not calling for a reduction in the number of men working in this area; rather we sought to open up greater opportunities to women, who tend to get stuck in the lower paid jobs, by offering them access to this training.

The only other comment I will make is that I was disappointed, but sadly not surprised by some of the appalling comments in the letters. In many ways they make the case for the need to offer such opportunities to women as well as a three year research study has done.

Dr. Debbie Ellen


Sometimes a story is just too good to pass up, even if the really cool part turns out not to be true. So when German inventor Dr Christian Koch denied using cats to make bio-diesel, we still had to run the story:

Of course it's possible to make fuel out of organic matter {plants, animals, and anything made out of either}. That's exactly what petroleum oil is! The trick is that in the laboratory, you can create sufficiently high temperatures and pressures to do the job in a few hours as opposed to millions of years.

{Of course, G. W. Bush and co probably believe that the Earth is really only a few thousand years old and that God would never have put that oil under the ground in the first place if He did not want us to use it.}

AJ


Crikey - do I detect the resurrection of the septic tank?

Imagine the following: A huge septic tank to catch all your bio-waste, heating of same to 300 degrees, with another tank (with spigot at the front of the house) for diesel, plus using the extra heat to heat water, the house, etc.

If I wasn't living in a new development, I'd go hug a tree. Perhaps a scaffolding post will do...

Edwin


Never mind the cats, beef lard or dead rats--road kill's the obvious fuel source!

What sort of mileage per hedgehog? That's the question I want answered.

Butting


Shame. I hate cats. The world would be a cleaner place without them. Too many fairy stories about Pied Pipers. Folk should grow up. The food they consume is often of higher quality than humans eat; that being so, it would be better used to alleviate the starving world. Better still, let's see if the rumours about Asian gourmets are true and [if they] can provide suitable cat recipes.

Anon


In-car satellite navigation systems really are a great invention. We suspect the gadgets have considerably reduced the number of spousal arguments about (a) her map reading abilities and (b) his reluctance to ask for directions, had on the way to family gatherings, important meetings etc. In so doing, they have probably lowered the future divorce rate, and reduced the potential earnings of some lawyers.

Shame about them sometimes going wrong, then:

Hmm. Does this explain why our TomTom 500 has been taking us some very peculiar routes this week? We live in a rural area - Hebden Bridge, West Yorkshire - and my parents live in a place called Chorley, near Preston in Lancashire.

The unit took us via primary routes, ie main roads and motorways, to get there but coming back decided to take us into the hills and far away. It was like The Blair Witch Road Movie.

Twice TomTom tried to get us to drive into a muddy field - actually, the farmer on the land says it has done this more than several times to unsuspecting motorists - and it has also developed a fondness for stone walls overlooking reservoirs, muddy ditches which conceivably may have been travellers' paths a couple of millennia ago.

We got home two hours over the actual time it should have taken us, our nerves shredded and our car scraped after one of TomTom's psychotic episodes.

We now look on the machine as a useful tool under some circumstances, but never to be entirely trusted - especially in the countryside.

Andy


Steve Ballmer says he never threw a chair in his life. You think you know why:

No doubt Mr Ballmer did not throw a chair, however, knowing Microsoft's propensity of redefining standards normally accepted in the industry, who is to say that they haven't redefined the basic concept of a chair - I can see it now, flat bit, back rest, support leg(s), it has to be the all new Microsoft Laurel v1.0. Having rested on their laurels for so long, the corporation probably doesn't know that other companies call them chairs.

T.


We also drew attention to the alarming similarity between the new Quark logo and that of the Scottish Arts Council. You were unable to let this pass without comment, and frankly, why should you?

Wow.

I wonder how much those designers got paid to draw that logo? It must be all of almost two circles and half a square. Seriously, they may as well have just gone for a doughnut. Here is my artist's ASCII representation:

O

The humble doughnut represents Quark sitting around on its fat corporate arse long enough for Adobe to come in and obliterate it with InDesign - thank god. The logo would be coloured luminescent pink with rainbow sprinkles.

It really was an evolution. The more I played with the pink donut, the more it came to represent so many things about Quark: poorly planned product cycles, expensive add-ons which can be done better elsewhere and complete failure to act when a cooler, healthier product came along. It just seemed to make sense.

It's okay, I don't expect to get any money from Quark. That one's free.

Mike


Well, Quark's new logo is almost the same as one that a local cellphone (or mobe) company has.

Rodrigo (from Chile)


Lastly, we turn to the week's sport. Well, only because we're talking about an apparent lack of 3G knowledge in the land down under. Which is also the place the Ashes won't be returning to. Oh, sorry, did we already mention that? Some Australians write:

Aussies know about 3G - we also know the per kb cost is too high to make its use worthwhile.

In other news, Aussies directed to lose cricket by Murdoch in a bid to spice up cricket prior to paid broadcasts :-)

Tim


Just wanted to make 2 points: first is that we know about 3G, we just don't care.

Second, congrats on the Ashes success. Was well played and a well-earned win - and it's about time the Poms beat us at something!

Peter.

Thanks.

We were going to mention the rugby at this point, but frankly, neither nation can really hold its head high on that, so we'll stick to trading cricket and swimming related jibes. Deal?


You cheeky bugger - dropping an Ashes blurb into the bottom of a 3G article. And there I was thinking I would be able to read tech news and get away from any Ashes news for a few minutes.

cheers, Greg.

Heh heh heh.


That's all folks. ®
